How to: Fix Windows Hello convenience PIN, “This option is currently unavailable”

If you have a scenario where an AD domain joined, Azure AD joined or Hybrid Azure AD joined computer is saying that the Windows Hello features are currently unavailable, try these steps. This guide covers how to enable Windows Hello, NOT Windows Hello for Business.

Disclaimer: You take full responsibility for any issue that might occur by choosing to follow any of the steps below.

  1. Clear the TPM. Most guides on the internet discussing this issue describe the steps below as the solution, but most do not mention what helped me – clearing the TPM! I mention this first since it was the last piece of the puzzle for me, and if you have been searching the web for a solution you have probably already tried the steps below. The steps below are also mandatory, so follow along if this step alone did not help.

    To clear the TPM, run tpm.msc as an administrator and select “Clear TPM” in the right pane. Clearing the TPM erases the keys stored in it, including the one BitLocker uses to unlock the OS drive automatically. I therefore recommend suspending the BitLocker protection of the OS drive (if that drive is BitLocker encrypted) before clearing the TPM, to make signing back in after the required restart a bit easier.

  2. Make sure no GPO (in AD) or Configuration profile (in Intune) affecting your computer(s) has either enabled or disabled “Windows Hello for Business”. For Intune, also check the Windows Hello for Business enrollment settings under Devices/Windows/Windows enrollment. These settings need to be “Not configured”. If any of these settings are configured in any way, Windows Hello for Business will take precedence on the computer and will not allow the regular Windows Hello to operate.

  3. Enable the “Turn on convenience PIN sign-in” setting, either via GPO (in AD) or a Configuration profile (in Intune).

    GPO:
    Computer Configuration/Policies/Administrative Templates/System/Logon/Turn on convenience PIN sign-in

    or

    Configuration profile:
    Platform: Windows 10 and later
    Profile type: Templates
    Template name: Administrative templates
    Setting: Turn on convenience PIN sign-in

  4. Delete the Ngc folder. The folder is located at C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft.

If you have followed the steps above and still haven’t resolved the issue – try another restart. If it still does not work – make sure that the GPO or Configuration profile is actually affecting the computer. It is easy to forget a required step while making or modifying a GPO or Configuration profile, in which case the change does not affect the computer(s) as intended.
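
A read-only check of the state these steps depend on, useful for confirming that the GPO or Configuration profile actually reached the computer. This is an added example, not part of the original guide, and it changes nothing on the machine. The registry locations and function names are assumptions not stated in the guide (they are where these policies are normally written), and only computer-scope policy is checked.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of the state the steps above depend on.
# Assumption (not from the guide): the registry locations used below.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. "Not configured".
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-ConveniencePinReadiness {
    $system  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $whfbGpo = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $whfbMdm = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    $ngc = Join-Path $env:windir 'ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'

    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # Step 2: a value that is present counts as configured, whether it is 0 or 1.
    $gpoValue = Get-PolicyValue $whfbGpo 'Enabled'
    $mdmKeys  = @(Get-ChildItem -Path $whfbMdm -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'UsePassportForWork' })

    [pscustomobject]@{
        TpmPresent         = $tpm.TpmPresent                  # step 1
        TpmReady           = $tpm.TpmReady
        OsDriveBitLockerOn = ($os.ProtectionStatus -eq 'On')  # suspend before clearing
        WhfbGpoConfigured  = ($null -ne $gpoValue)            # step 2, want False
        WhfbMdmConfigured  = ($mdmKeys.Count -gt 0)           # step 2, want False
        ConveniencePinOn   = ((Get-PolicyValue $system 'AllowDomainPINLogon') -eq 1)  # step 3
        NgcFolderExists    = (Test-Path -LiteralPath $ngc)    # step 4
    }
}

$state = Test-ConveniencePinReadiness
$state | Format-List

if ($state.WhfbGpoConfigured -or $state.WhfbMdmConfigured) {
    Write-Warning 'A Windows Hello for Business policy is configured; it takes precedence over the convenience PIN.'
}
if (-not $state.ConveniencePinOn) {
    Write-Warning '"Turn on convenience PIN sign-in" has not reached this computer.'
}
if ($state.OsDriveBitLockerOn) {
    Write-Warning 'BitLocker protection is on for the OS drive; suspend it before clearing the TPM.'
}
```

Run it from an elevated PowerShell session before and after a policy refresh to see whether a change has been applied.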